CVE-2024-8956

9.1 CRITICAL

📋 TL;DR

PTZOptics PT30X-SDI/NDI cameras with firmware before 6.3.40 have an authentication bypass vulnerability in the param.cgi endpoint. Attackers can remotely access and modify sensitive configuration data without credentials, including usernames, password hashes, and camera settings. Organizations using these cameras for live streaming or surveillance are affected.

💻 Affected Systems

Products:
  • PTZOptics PT30X-SDI/NDI series cameras
Versions: All firmware versions before 6.3.40
Operating Systems: Embedded camera firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific camera models mentioned; other PTZOptics models may have similar issues but are not confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete camera compromise allowing configuration overwrite, credential theft, and potential lateral movement to connected systems.

🟠 Likely Case: Unauthorized access to sensitive camera configurations, credential harvesting, and camera settings manipulation.

🟢 If Mitigated: Limited impact if cameras are isolated on internal networks with strict firewall rules.

🌐 Internet-Facing: HIGH - Directly exposed cameras can be fully compromised remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to gain camera access and potentially pivot to other systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the vulnerable endpoint without authentication headers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware 6.3.40

Vendor Advisory: https://ptzoptics.com/firmware-changelog/

Restart Required: Yes

Instructions:

1. Download firmware 6.3.40 from the PTZOptics support site.
2. Access the camera web interface.
3. Navigate to the firmware update section.
4. Upload and apply the new firmware.
5. Reboot the camera after the update completes.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate cameras on separate VLANs with strict firewall rules blocking external access to camera management interfaces.

Access Control Lists

all

Implement IP-based restrictions to only allow authorized management stations to access camera web interfaces.

🧯 If You Can't Patch

  • Segment cameras on isolated networks with no internet access
  • Implement strict firewall rules blocking all external access to camera management ports (typically 80, 443, 554)

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to http://[camera-ip]/cgi-bin/param.cgi without an Authorization header. If the camera returns configuration data, it is vulnerable.

Check Version:

Check the camera web interface's System Information page, or send an HTTP request to the camera status endpoint.

Verify Fix Applied:

After updating to firmware 6.3.40, repeat the vulnerability check. It should return an authentication error or no data.
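The two checks above are easy to get wrong by hand: a plain string comparison ranks "6.3.9" above "6.3.40", and a 200 response that carries an HTML login page is not the same as a 200 that carries configuration data. The helper below, added here as an example and not code from PTZOptics or the advisory, compares a firmware version string against the fixed version 6.3.40 numerically and classifies the (status, body) pair obtained from the unauthenticated param.cgi request. The "key=value lines means configuration data" heuristic is an assumption for this example, not a documented property of param.cgi output.

```python
import re

# Fixed firmware version named in the advisory.
FIXED_VERSION = (6, 3, 40)


def parse_version(text: str) -> tuple:
    """Extract a dotted numeric version from strings such as 'V6.3.40' or
    'Firmware 6.3.9 (build 1)' and return it as a tuple of ints so that
    comparisons are numeric rather than lexical."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(text: str) -> bool:
    """True when the reported firmware is older than 6.3.40."""
    return parse_version(text) < FIXED_VERSION


def classify_param_cgi_response(status: int, body: str) -> str:
    """Interpret the response to the advisory's unauthenticated GET to
    /cgi-bin/param.cgi:
      'vulnerable'   - 200 with configuration data and no credentials sent
      'fixed'        - authentication error, or 200 with an empty body
      'inconclusive' - anything else (404, redirect, an HTML login page)"""
    if status in (401, 403):
        return "fixed"
    if status == 200:
        stripped = body.strip()
        if not stripped:
            return "fixed"
        # Assumption for this example: a login page is HTML, while
        # configuration output is key=value lines.
        if stripped.startswith("<"):
            return "inconclusive"
        if re.search(r"^\s*\w+\s*=", stripped, re.MULTILINE):
            return "vulnerable"
    return "inconclusive"


if __name__ == "__main__":
    for v in ("V6.3.9", "6.3.40", "Firmware 6.4.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    print(classify_param_cgi_response(200, "username=admin\npassword_hash=REDACTED"))
    print(classify_param_cgi_response(401, ""))
```

Feed `classify_param_cgi_response` the status code and body captured from the GET described above; treat "inconclusive" as "re-check by hand", not as "fixed".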

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful param.cgi access
  • Unusual configuration changes in camera logs

Network Indicators:

  • HTTP requests to /cgi-bin/param.cgi without Authorization headers
  • Unusual traffic patterns to camera management interfaces

SIEM Query:

source_ip="camera_network" AND (url_path="/cgi-bin/param.cgi" AND NOT http_headers CONTAINS "Authorization:")
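The SIEM query above flags every param.cgi request that lacks an Authorization header, but a 401 challenge on an unauthenticated first request is normal browser behaviour, so the useful signal is the status code and the sequence of events per source. The script below, added here as an example and not tooling from PTZOptics or the advisory, runs both indicators from this section over a constructed access log: it rates unauthenticated param.cgi hits by whether they succeeded, and it looks for several failed authentications from one source followed by a successful param.cgi read. The log line format is invented for the example; adapt `parse_log` to whatever your proxy or camera actually emits.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample access log (not real camera output). One request per line:
# <timestamp> <src_ip> <method> <path> <status> auth=<basic|none>
SAMPLE_LOG = """\
2024-10-01T12:00:01Z 10.0.5.23 GET /cgi-bin/param.cgi 200 auth=basic
2024-10-01T12:00:05Z 203.0.113.7 GET /cgi-bin/param.cgi 200 auth=none
2024-10-01T12:00:06Z 203.0.113.7 GET /cgi-bin/param.cgi 200 auth=none
2024-10-01T12:00:30Z 10.0.5.40 GET /cgi-bin/param.cgi 401 auth=none
2024-10-01T12:01:00Z 198.51.100.4 POST /login 401 auth=none
2024-10-01T12:01:02Z 198.51.100.4 POST /login 401 auth=none
2024-10-01T12:01:03Z 198.51.100.4 POST /login 401 auth=none
2024-10-01T12:01:05Z 198.51.100.4 GET /cgi-bin/param.cgi 200 auth=none
2024-10-01T12:02:00Z 10.0.5.23 GET /index.html 200 auth=basic
"""

PARAM_CGI = "/cgi-bin/param.cgi"


@dataclass
class Event:
    ts: datetime
    src_ip: str
    method: str
    path: str
    status: int
    has_auth: bool


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, auth = line.split()
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            src_ip=ip,
            method=method,
            path=path.split("?", 1)[0],  # ignore any query string
            status=int(status),
            has_auth=(auth != "auth=none"),
        ))
    return events


def unauthenticated_param_cgi(events: list) -> list:
    """Network indicator: param.cgi requests with no Authorization header.
    A 200 means the bypass worked (high); a 401/403 is the normal challenge
    for an unauthenticated first request and only rates a low-severity note.
    Returns (src_ip, timestamp, severity) tuples."""
    findings = []
    for e in events:
        if e.path == PARAM_CGI and not e.has_auth:
            sev = "high" if e.status == 200 else "low"
            findings.append((e.src_ip, e.ts.isoformat(), sev))
    return findings


def failed_auth_then_param_cgi(events: list, min_failures: int = 3,
                               window: timedelta = timedelta(minutes=5)) -> list:
    """Log indicator: several failed authentications from one source within
    `window`, followed by a successful param.cgi read from that source.
    Returns one (src_ip, timestamp) tuple per qualifying param.cgi hit."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_ip[e.src_ip].append(e)
    hits = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e.path != PARAM_CGI or e.status != 200:
                continue
            recent_failures = [f for f in evs[:i]
                               if f.status in (401, 403) and e.ts - f.ts <= window]
            if len(recent_failures) >= min_failures:
                hits.append((ip, e.ts.isoformat()))
    return hits


def top_sources(findings: list) -> dict:
    """Count high-severity (successful unauthenticated) hits per source IP."""
    counts = defaultdict(int)
    for ip, _ts, sev in findings:
        if sev == "high":
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in unauthenticated_param_cgi(evs):
        print("unauthenticated param.cgi:", f)
    print("successful hits per source:", top_sources(unauthenticated_param_cgi(evs)))
    for h in failed_auth_then_param_cgi(evs):
        print("failed auth then param.cgi:", h)
```

On the sample data the internal host 10.0.5.23 (authenticated) never appears in the findings, 10.0.5.40 shows up only as a low-severity probe that was correctly challenged, and the two external sources are the ones that actually read configuration without credentials. After the 6.3.40 update, any remaining high-severity hit means a camera was missed.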
